Reports in the X (formerly Twitter) program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | Potential pre-auth RCE on Twitter VPN | $20160.0 |
| 2 | Account Takeover in Periscope TV | $7560.0 |
| 3 | Discoverability by phone number/email restriction bypass | $5040.0 |
| 4 | Incorrect details on OAuth permissions screen allows DMs to be read without permission | $2940.0 |
| 5 | Changing email address on Twitter for Android unsets "Protect your Tweets" | $2940.0 |
| 6 | Periscope iOS app CSRF in follow action due to deeplink | $2940.0 |
| 7 | Twitter iOS fails to validate server certificate and sends OAuth token | $2100.0 |
| 8 | CRLF and stored XSS on ton.twitter.com | $1680.0 |
| 9 | XSS and Open Redirect on MoPub Login | $1540.0 |
| 10 | Periscope Android app deeplink leads to CSRF in follow action | $1540.0 |
| 11 | Cross-Domain Leakage of X Username / UserID due to Dynamically Generated JS File | $1500.0 |
| 12 | Twitter ID exposure via error-based side-channel attack | $1470.0 |
| 13 | [sms-be-vip.twitter.com] vulnerable to Jetleak | $1260.0 |
| 14 | [dev.twitter.com] XSS and Open Redirect | $1120.0 |
| 15 | Opportunity to obtain private tweets through search widget preview caches | $1120.0 |
| 16 | [dev.twitter.com] XSS and Open Redirect Protection Bypass | $1120.0 |
| 17 | URL that Twitter mobile site cannot load | $1120.0 |
| 18 | Twitter Periscope Clickjacking Vulnerability | $1120.0 |
| 19 | Denial of Service \| twitter.com & mobile.twitter.com | $1120.0 |
| 20 | Stored XSS on reports | $700.0 |
| 21 | Multiple XSS on account settings that can hijack any users in the company | $700.0 |
| 22 | Information Disclosure through .DS_Store in ██████████ | $560.0 |
| 23 | Twitter for Android is exposing user's location to any installed Android app | $560.0 |
| 24 | Clickjacking Periscope.tv on Chrome | $560.0 |
| 25 | Improper session handling on web browsers | $560.0 |
| 26 | Protected tweets exposure through the URL | $560.0 |
| 27 | Protected Tweets setting overridden by Android app | $560.0 |
| 28 | Verify any unused email address | $560.0 |
| 29 | Cookie injection allows DoS attack on periscope.tv | $560.0 |
| 30 | Wrong interpretation of URL-encoded characters, showing different punycode, leads to redirection to a different domain | $560.0 |
| 31 | iOS app crashed by specially crafted direct message reactions | $560.0 |
| 32 | Lack of input validation that can lead to Denial of Service (DoS) | $560.0 |
| 33 | Accepting error message on Twitter sends you to attacker site | $560.0 |
| 34 | User input validation can lead to DoS | $560.0 |
| 35 | Denial of Service [Chrome] | $560.0 |
| 36 | Safe Redirect Bypass | $560.0 |
| 37 | HTTP request smuggling in pscp.tv and periscope.tv | $560.0 |
| 38 | Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506 | $560.0 |
| 39 | Delete direct message history without access to the proper conversation_id | $560.0 |
| 40 | Identify the mobile number of a Twitter user | $560.0 |
| 41 | Remote 0-click exfiltration of Safari user's IP address | $560.0 |
| 42 | Link-shortener bypass (regression on fix for #1032610) | $560.0 |
| 43 | Chained open redirects and use of Ideographic Full Stop defeat Twitter's approach to blocking links | $560.0 |
| 44 | Deleted Polls are still accessible after 30 days | $560.0 |
| 45 | Improper sanitization of edit in list feature at Twitter leads to deleting any Twitter user's list cover photo | $560.0 |
| 46 | Ability to brute-force MoPub account's password due to lack of rate limiting protection using {ip rotation techniques} | $420.0 |
| 47 | IDOR and statistics leakage in Orders | $289.0 |
| 48 | Vine - overwrite account associated with email via Android application | $280.0 |
| 49 | Sensitive Information Disclosure https://cards-dev.twitter.com | $280.0 |
| 50 | ms5 debug page exposing internal info (internal IPs, headers) | $280.0 |
| 51 | [staging-engineering.gnip.com] Publicly accessible GIT directory | $280.0 |
| 52 | AppLovin API Key hardcoded in a GitHub repo | $280.0 |
| 53 | Reports Modal in app.mopub.com disclosed to any user | $280.0 |
| 54 | Login CSRF in analytics.mopub.com | $280.0 |
| 55 | [Twitter Open Source] Releases were & are built/executed/tested/released in the context of insecure/untrusted code | $280.0 |
| 56 | Bypassing X profile verification to receive instant blue checkmark and unlimited profile changes | $250.0 |
| 57 | Full Path Disclosure at 27.prd.vine.co | $140.0 |
| 58 | Subdomain Takeover at mk.prd.vine.co | $140.0 |
| 59 | Listing of Amazon S3 Bucket accessible to any Amazon authenticated user (metrics.pscp.tv) | $140.0 |
| 60 | XSS in the "Poll" Feature on Twitter.com | $0.0 |
| 61 | Bypassing Digits web authentication's host validation with HPP | $0.0 |
| 62 | Bypassing callback_url validation on Digits | $0.0 |
| 63 | Urgent: Disclosure of all the apps with hash ID in MoPub through API request (Authentication bypass) | $0.0 |
| 64 | Add tweet to collection CSRF | $0.0 |
| 65 | File Upload XSS in image uploading of App in MoPub | $0.0 |
| 66 | HTML Injection and Possible XSS in sms-be-vip.twitter.com | $0.0 |
| 67 | reverb.twitter.com redirects to vulnerable reverb.guru | $0.0 |
| 68 | List of a ton of internal Twitter servers available on GitHub | $0.0 |
| 69 | View liked tweets of private account via publish.twitter.com | $0.0 |
| 70 | XSS using javascript:alert(8007) | $0.0 |
| 71 | Cross-site scripting (reflected) | $0.0 |
| 72 | Leaking Digits OAuth authorization to third-party websites | $0.0 |
| 73 | Stealing User emails by clickjacking cards.twitter.com/xxx/xxx | $0.0 |
| 74 | GNIP subdomain takeover | $0.0 |
| 75 | Remote Unrestricted file Creation/Deletion and Possible RCE | $0.0 |
| 76 | Attacker can get all information of a Vine repost user, even IP address and location | $0.0 |
| 77 | Niche S3 buckets are readable/writable/deletable by authorized AWS users | $0.0 |
| 78 | DOM XSS in TweetDeck | $0.0 |
| 79 | SSRF in https://cards-dev.twitter.com/validator | $0.0 |
| 80 | DOM-based cookie bomb | $0.0 |
| 81 | CSRF on cards API | $0.0 |
| 82 | Multiple DOM XSS on Amplify Web Player | $0.0 |
| 83 | Bypassing Digits bridge origin validation | $0.0 |
| 84 | HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter | $0.0 |
| 85 | [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME | $0.0 |
| 86 | [IDOR][translate.twitter.com] Opportunity to change any comment at the forum | $0.0 |
| 87 | [URGENT] Opportunity to publish tweets on any Twitter account | $0.0 |
| 88 | [██████████.gnip.com] .htpasswd disclosure | $0.0 |
| 89 | [Studio.twitter.com] See someone else's pics | $0.0 |
| 90 | CSP bypass + XSS | $0.0 |
| 91 | Vine all registered users' private/sensitive information disclosure [IP address/phone no/email and much other information] | $0.0 |
| 92 | CSRF on Periscope Web OAuth authorization endpoint | $0.0 |
| 93 | XXE on sms-be-vip.twitter.com in SXMP Processor | $0.0 |
| 94 | Open Redirect | $0.0 |
| 95 | OS Command Execution on User's PC via CSV Injection | $0.0 |
| 96 | Unauthorized Access to Protected Tweets via niche.co API | $0.0 |
| 97 | [CRITICAL] Full account takeover using CSRF | $0.0 |
| 98 | CSRF in twitterflightschool.com (CAN POST ON TIMELINE WITHOUT USER PERMISSION) | $0.0 |
| 99 | Open Redirect Protection Bypass | $0.0 |
| 100 | Improper Host Detection During Team Up on tweetdeck.twitter.com | $0.0 |
| 101 | Blind XSS in MoPub Marketplace Admin Production \| Sentry via demand.mopub.com (User-Agent) | $0.0 |
| 102 | POODLE SSLv3 bug on multiple Twitter SMTP servers (mx3.twitter.com, 199.59.148.204, 199.16.156.108 and 199.59.148.204) | $0.0 |
| 103 | Persistent DOM-based XSS in https://help.twitter.com via localStorage | $0.0 |
| 104 | CVE-2017-15277 on Profile page | $0.0 |
| 105 | Urgent: Unauthorised Access to Media content of all Direct messages and protected tweets (Indirect object reference) | $0.0 |
| 106 | Highly wormable clickjacking in player card | $0.0 |
| 107 | No Rate Limit in email leads to huge Mass mailings | $0.0 |
| 108 | Incorrect param parsing in Digits web authentication | $0.0 |
| 109 | Global defaming of any Twitter user | $0.0 |
| 110 | CORS misconfig \| Account Takeover | $0.0 |
| 111 | Opportunity to post hidden comments | $0.0 |
| 112 | Tracking of users on third-party websites using the Twitter cookie, due to a flaw in authenticating image requests | $0.0 |
| 113 | Information Exposure Through Directory Listing vulnerability on 8 vcache**.usw2.snappytv.com websites | $0.0 |
| 114 | CSRF and probable account takeover on https://www.niche.co | $0.0 |
| 115 | Takeover of Twitter-owned domain at mobileapplinking.com | $0.0 |
| 116 | CSRF on https://www.niche.co leads to "account disconnection" | $0.0 |
| 117 | Insufficient OAuth callback validation which leads to Periscope account takeover | $0.0 |
| 118 | [Urgent] Invalidating OAuth2 Bearer token makes TweetDeck unavailable | $0.0 |
| 119 | Twitter Lite (Android): Vulnerable to local file theft, JavaScript injection, Open redirect | $0.0 |
| 120 | XSS and cache poisoning via upload.twitter.com on ton.twitter.com | $0.0 |
| 121 | XSS via Direct Message deeplinks | $0.0 |
| 122 | HTTPS is not validating TLS MAC codes | $0.0 |
| 123 | Subdomain takeover on dev-admin.periscope.tv | $0.0 |
| 124 | GitHub Token Leaked publicly for https://github.com/mopub | $0.0 |
| 125 | HTML Injection and Possible XSS via MathML | $0.0 |
| 126 | Periscope-all Firebase database takeover | $0.0 |
| 127 | Ability to perform actions (Tweet, Retweet, DM) and other actions, unauthenticated, on any account with SMS enabled | $0.0 |
| 128 | Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd-party Twitter App | $0.0 |
| 129 | Access MoPub Reports Data even after Company removed you from their MoPub Account | $0.0 |
| 130 | XSS on https://app.mopub.com/reports/custom/add/ [new-d1] | $0.0 |
| 131 | Stored XSS in https://app.mopub.com | $0.0 |
| 132 | CRLF injection | $0.0 |
| 133 | Protected Tweet settings overwritten by other settings | $0.0 |
| 134 | Creating malformed URLs via new line character in between two URLs leads to misrepresented hyperlinks in Tweets/DMs | $0.0 |
| 135 | Bypass Password Authentication for updating email and phone number - Security Vulnerability | $0.0 |
| 136 | Reflected XSS in twitterflightschool.com | $0.0 |
| 137 | Twitter Source Label allows 'mongolian vowel separator' U+180E (app name) | $0.0 |
| 138 | No username used in authentication to www.mopub.com, leading to direct password submission with unlimited submission rate | $0.0 |
| 139 | Reset password without knowing current password | $0.0 |
| 140 | Character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error | $0.0 |
| 141 | Bypassing Digits origin validation which leads to account takeover | $0.0 |
| 142 | Brute-forcing user passwords has no rate limiting | $0.0 |
| 143 | Private list members disclosure via GraphQL | $0.0 |
| 144 | Insufficient validation on Digits bridge | $0.0 |
| 145 | Twitter Media Studio Source Information Disclosure With Analyst Role | $0.0 |
| 146 | XSS via referrer parameter | $0.0 |
| 147 | HTTP request smuggling in twitter.com | $0.0 |
| 148 | Read-only application can publish/delete fleets | $0.0 |
| 149 | Bypass Password Authentication to Update the Password | $0.0 |
| 150 | Bypass Password Authentication to Update the Password | $0.0 |
| 151 | GitHub Account hijack through broken link in developer.twitter.com | $0.0 |
| 152 | 2 Subdomain Takeovers at readfu.com | $0.0 |
| 153 | PII leakage by brute forcing and phone number deletion without using password | $0.0 |
| 154 | Open Redirect on https://www.twitterflightschool.com/widgets/experience?destination_url=https://evil.com | $0.0 |
| 155 | Bypass t.co link shortener in Twitter direct messages | $0.0 |
| 156 | Ability to add arbitrary images/descriptions/titles to other people's issues via IDOR on getrevue.co | $0.0 |
| 157 | Blind XSS on Twitter's internal Big Data panel at █████████████ | $0.0 |
| 158 | [Bypass fixed #664038 and #519059] Application settings change settings that have been set by the user | $0.0 |
| 159 | Subdomain takeover of images.crossinstall.com | $0.0 |
| 160 | Blind XSS on Twitter's internal Jira panel at ████ allows exfiltration of hackers' reports and other sensitive data | $0.0 |
| 161 | Twitter Subscriptions Information Disclosure | $0.0 |
| 162 | Ability to get Twitter Blue verified badge without purchasing it | $0.0 |
| 163 | Able to see Twitter Circle tweets due to improper access control on the "FavoriteTweet" endpoint | $0.0 |
| 164 | Ability to see hidden likes | $0.0 |